Re: [Doh] Seeking input on draft-03
"Hewitt, Rory" <rhewitt@akamai.com> Thu, 08 February 2018 19:22 UTC
From: "Hewitt, Rory" <rhewitt@akamai.com>
To: Justin Henck <henck@google.com>, "ek@google.com" <ek@google.com>
CC: Ben Schwartz <bemasc@google.com>, "doh@ietf.org" <doh@ietf.org>, "mbishop@evequefou.be" <mbishop@evequefou.be>
Date: Thu, 08 Feb 2018 19:22:24 +0000
Message-ID: <f718b5d15a564d63a0e46543e1d56fbd@usma1ex-dag1mb3.msg.corp.akamai.com>
References: <CAHbrMsDwWvtcZy8fpg9gs3o+gc_umi9okJW6rvv+s4T7K9-sVQ@mail.gmail.com> <MWHPR08MB2432FFCE097EBBB1279EAC2EDAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <CAHbrMsCD4-Syy4+5PhC_c0K5TLR25gMUO5cxJUT3gC8=uT4GpA@mail.gmail.com> <CAN-AkJsdu05PWFSC2CBGEWk_8dEUsvy2GUQ6rRcc09Xbp0kS6g@mail.gmail.com> <CAAedzxqUE7AzioT5gJJs_sjq0GQjUZyhr4JBZTAv6pQjf32g6w@mail.gmail.com> <CAN-AkJsDba0qf7raYBAwbQK7F6Ov=6CXVVcAK=fFRrfRupmp4g@mail.gmail.com>
In-Reply-To: <CAN-AkJsDba0qf7raYBAwbQK7F6Ov=6CXVVcAK=fFRrfRupmp4g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/1iztKFIjZq3Gb-KE0i1nt5lES1U>
Additionally, using /.well-known/ would allow for URI Template discovery, if required - client retrieves URI Template from e.g. /.well-known/doh.template and then uses that to build DNS request URI. See https://github.com/dohwg/draft-ietf-doh-dns-over-https/issues/74 for @mnot's suggestion.

Thanks,

Rory

Rory Hewitt
Senior Solutions Architect
Global Services & Support
Akamai Technologies
Tel: (408) 650-0035

From: Justin Henck [mailto:henck@google.com]
Sent: Thursday, February 8, 2018 11:17 AM
To: ek@google.com
Cc: Ben Schwartz <bemasc@google.com>; doh@ietf.org; mbishop@evequefou.be
Subject: Re: [Doh] Seeking input on draft-03

That would work for the situation I specified, but I think that a .well-known pointer provides the additional benefit of serving more technical users with an advanced configuration. (It is also in line with the intended use of .well-known as I understand RFC 5785.)

Specifically, if an implementer creates an advanced setting whereby you can configure a DOH server with both a domain and an IP (to eliminate the need for bootstrapping) then you have made the user's life easier. And, although a URI is not supposed to change, a .well-known/dns pointer requirement would ensure that capricious servers don't break manually-configured clients.

Justin Henck
Product Manager
212-565-9811
google.com/jigsaw
PGP: EA8E 8C27 2D75 974D B357 482B 1039 9F2D 869A 117B

On Thu, Feb 8, 2018 at 1:59 PM Erik Kline <ek@google.com> wrote:

Sounds like you might want a (TXT) record at the zone cut level?

On 8 February 2018 at 10:55, Justin Henck <henck@google.com> wrote:

> I would like to see a way for clients to discover a DNS server hosted on a certain domain. Perhaps a .well-known/dns path that contains a relative pointer and other metadata. I'm imagining a use case whereby the user could choose to rely upon an organization that they find trustworthy which is offering DNS, without needing to do a significant amount of discovery (e.g. "maybe known.tld has a DNS server?"). You could of course also have an absolute pointer, but then you have to account for the situation whereby known.tld might delegate to unknown.tld.
>
> Justin Henck
> Google
>
> On Thu, Feb 8, 2018 at 1:21 PM Ben Schwartz <bemasc@google.com> wrote:
>>
>> On Thu, Feb 8, 2018 at 1:11 PM, Mike Bishop <mbishop@evequefou.be> wrote:
>>>
>>> I’m inclined to think this is a positive change. We’re trying to do something better than the current world of “trust the local DNS server because unauthenticated DHCP says so”, and promiscuous trust just because a server claims it supports DOH via a .well-known endpoint isn’t really any better.
>>
>> To be clear, the draft never proposed promiscuous trust, which would indeed be highly problematic. However, draft-03 does include additional language clarifying this point.
>>
>>> The client should know the hostname(s) of the DOH server(s) it wants to use
>>
>> In draft-03, "knowing the hostname" is not sufficient, because there is no default path for DOH. This is the change on which I am seeking input.
>>
>>> , and it should authenticate the DOH server against that hostname.
>>
>> Yes, definitely. (I believe the draft is clear on this point, but feel free to suggest improvements.)
>>
>>> If a server hosts content and also wants to also serve DOH, there are ways to present a hostname that covers both names (or present two certificates) on an HTTP connection.
>>>
>>> From: Doh [mailto:doh-bounces@ietf.org] On Behalf Of Ben Schwartz
>>> Sent: Thursday, February 8, 2018 10:05 AM
>>> To: doh@ietf.org
>>> Subject: [Doh] Seeking input on draft-03
>>>
>>> Hi all,
>>>
>>> The authors of draft-ietf-doh-dns-over-https have been making good progress, and a draft-03 is now ready with several changes and clarifications.
>>>
>>> One important difference is that draft-03 no longer proposes a ".well-known" entry. In draft-02 and prior, clients could check for the presence of a DOH service at the default path, given only the domain name of a server. In draft-03, there is no default path, so clients must be configured with the full URL of the DOH endpoint.
>>>
>>> Is this change compatible with your use cases? Would this alter the way users interact with your systems? How do you think DOH client configuration should work?
>>>
>>> Please respond with your thoughts,
>>>
>>> Ben Schwartz
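The mechanism Rory sketches above (fetch a URI Template from a well-known path, then build the DNS request URI from it), combined with the earlier points in the thread about relative versus absolute pointers and authenticating the server against the configured hostname, as an added example that is not part of this thread, of draft-ietf-doh-dns-over-https, or of any project's code. It assumes a discovery document at the hypothetical path /.well-known/doh.template carrying one RFC 6570 template, that the template uses a `dns` variable holding a base64url-encoded, unpadded DNS wire-format query (as the DoH draft describes), and it implements only the `{?var}` form-style expansion of RFC 6570. The discovery documents and hostnames are constructed.

```python
"""
Added example (not from the thread or the DoH draft): a client-side helper
that takes a URI Template discovered at a well-known path and builds a DoH
GET URL from it, refusing templates that point off the configured origin.

Assumptions:
  * the discovery document at /.well-known/doh.template (a hypothetical path
    mentioned in the thread) carries a single RFC 6570 URI Template;
  * the template uses the `dns` variable with a base64url-encoded, unpadded
    DNS wire-format query, as the DoH draft describes;
  * only the {?var} form-style expansion of RFC 6570 is implemented.
"""
import base64
import re
import struct
from urllib.parse import quote, urlsplit

# Constructed discovery documents standing in for a fetched
# https://known.example/.well-known/doh.template response.
DISCOVERED_RELATIVE = "/dns-query{?dns}"
DISCOVERED_FOREIGN = "https://unknown.example/dns-query{?dns}"


def resolve_template(origin: str, discovered: str, allow_hosts=()) -> str:
    """Return an absolute template the client is willing to use.

    A relative template is anchored on the configured origin. An absolute
    template is accepted only when it is https and its host is either the
    configured host or explicitly allowed, so a server that delegates to
    another host cannot silently redirect a client's DNS traffic.
    """
    o = urlsplit(origin)
    if o.scheme != "https" or not o.hostname:
        raise ValueError("origin must be an https URL with a host")
    if discovered.startswith("/"):
        return f"https://{o.netloc}{discovered}"
    t = urlsplit(discovered)
    if t.scheme != "https" or not t.hostname:
        raise ValueError("discovered template must be an https URL")
    if t.hostname != o.hostname and t.hostname not in allow_hosts:
        raise ValueError(f"template points off-origin to {t.hostname}")
    return discovered


def is_trusted_template(origin: str, discovered: str, allow_hosts=()) -> bool:
    """Boolean wrapper around resolve_template for policy checks."""
    try:
        resolve_template(origin, discovered, allow_hosts)
        return True
    except ValueError:
        return False


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query in wire format (RFC 1035): ID 0 so that
    identical questions yield identical, cacheable URLs, RD set, one
    question, QCLASS IN. qtype 1 is A."""
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as DoH uses in the dns parameter."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def expand(template: str, **values) -> str:
    """Expand {?var[,var2]} form-style query expressions (a small subset of
    RFC 6570); variables absent from `values` are skipped."""
    def repl(match):
        names = match.group(1).split(",")
        pairs = [f"{n}={quote(values[n], safe='')}" for n in names if n in values]
        return "?" + "&".join(pairs) if pairs else ""
    return re.sub(r"\{\?([A-Za-z0-9_,]+)\}", repl, template)


def doh_get_url(origin: str, discovered: str, name: str,
                qtype: int = 1, allow_hosts=()) -> str:
    """Discovery result plus question -> the DoH GET URL a client would fetch."""
    template = resolve_template(origin, discovered, allow_hosts)
    return expand(template, dns=b64url(build_query(name, qtype)))


if __name__ == "__main__":
    print(doh_get_url("https://known.example", DISCOVERED_RELATIVE, "www.example.com"))
    print(is_trusted_template("https://known.example", DISCOVERED_FOREIGN))
```

The off-origin check is the part that matters for the trust question raised in the thread: a relative pointer keeps the resolver on the host the user configured and authenticated, while an absolute pointer to another host is only honoured if the client operator has listed that host explicitly.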